Re: RFC; new SignatureAlgorithm for web browser interop

On Wed, 2006-03-29 at 22:22 +0200, Anders Rundgren wrote:
> I tried it but got an internal error.  Maybe the certificate issued by "SuckerTrust"
> for a user with the e-mail address boss@fire.hell was the culprit. :-)

Firefox, at least, is very finicky about what certificates it will
permit itself to use for the crypto.signText operation. Things that have
tripped me up so far include ensuring that: the CA cert is trusted for
the right things by the browser, the purpose bits are right on the
certificate, there's a master security password set in the browser (!),
and that the CA certificate has correctly formatted X509 fields.
Regrettably, the only way that you know if there's a problem is when
crypto.signText fails with 'error:internalError'. c'est la Mozilla.

I've attached a client certificate (password frog) and the corresponding
CA certificate - these work for me. YMMV. Be sure to trust the CA cert
or the purpose of the client certificate will show up as 'Unknown' and
it won't work.

> Apart from that, I have no objections to the conversion scheme,
> although I would like to see some more documentation if possible.

I'll keep the list apprised of progress; the next steps will be sorting
out key generation using the browser's CRMF request method, formalizing
the XML schema, and putting an AJAX frontend using this technique (and
including key generation) on the front of the existing web applications.

> The latter will
> be launched next week at the NIST PKI Workshop.

That's a somewhat annoying mis-schedule on my part - had I started
working on this a few months earlier, and realized the workshop was on,
I'd probably have attended. Ah well. I presume there'll be proceedings
published at some point.

m.
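The failure mode described in the message above, as an added illustration (not code from the mail or from Mozilla): the legacy crypto.signText API reports failure by returning a string that starts with "error:" rather than by throwing, so a page must inspect the return value before treating it as a signature. The signing function is passed in as a parameter so the wrapper can be exercised with a constructed stub outside a browser; the "error:unsupported" and "error:emptyResult" codes are labels invented for this wrapper, not Mozilla values.

```javascript
// Wrapper around the legacy Mozilla window.crypto.signText(text, caOption).
// signText returns either base64-encoded PKCS#7 signed data or an error
// string such as 'error:internalError' (the one seen in the mail above).
// `signText` is injected (normally window.crypto.signText bound to
// window.crypto) so this can run without a browser.
function signTextChecked(signText, text, caOption) {
  if (typeof signText !== "function") {
    // Non-Mozilla browsers never exposed crypto.signText at all.
    // "error:unsupported" is this wrapper's own label, not a Mozilla code.
    return { ok: false, error: "error:unsupported" };
  }
  // "ask" prompts the user to pick a certificate; "auto" picks silently.
  const result = signText(text, caOption || "ask");
  if (typeof result !== "string" || result.trim().length === 0) {
    // Also a constructed label for an unexpected return value.
    return { ok: false, error: "error:emptyResult" };
  }
  if (result.indexOf("error:") === 0) {
    // The browser signalled failure via the return string, not an exception.
    return { ok: false, error: result };
  }
  // Anything else is the base64 PKCS#7 blob to send to the server.
  return { ok: true, signature: result };
}

// Stand-alone demonstration with a constructed stub that always fails the
// way the mail describes (e.g. untrusted CA, wrong purpose bits).
function demo() {
  const failingSignText = function () { return "error:internalError"; };
  return signTextChecked(failingSignText, "Text to be signed");
}
```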

Received on Thursday, 30 March 2006 00:02:09 UTC